Apple Pay, EMV and retailer breach prevention

Could these new developments have helped avoid the Target compromise?

by: Michelle Thornton

Perhaps the most common security question asked about Apple Pay’s tokenization technology and EMV (“chip”) cards is whether they could have prevented the Target breach, the first anniversary of which the industry just marked during the 2014 holiday shopping season.

The short answer is no, but let’s look at what these security technologies can do.

EMV—which secures card-based transactions, using a specialized computer chip housed right in the plastic—couldn’t have prevented the breach itself. But it could have prevented compromised numbers from being used to create counterfeit cards. EMV cards are difficult to reproduce, so fraudsters typically don’t attempt it.

Tokenization, which removes the credit card number from an online, mobile or contactless point-of-sale transaction and replaces it with a randomly generated number, couldn’t have prevented the breach, either. But any tokenized numbers would have been worthless to the fraudsters. Tokenized numbers (at least in Apple Pay) are tied to a specific device (that is, a phone). So if the fraudsters got the number and tried to use it, the transaction would fail because the unique elements of that device would not be present in the transaction. Behind the scenes, the cryptographic check used in tokenization would detect that this transaction was not initiated from the correct device. Result? Worthless to the thief; card number still protected.
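The device binding described above, modeled as an added example; it is not Apple Pay's or any payment network's actual protocol. HMAC-SHA256 stands in for the real transaction cryptogram, and `TokenService`, `make_cryptogram` and the per-transaction counter are assumptions of this example. It goes one step beyond the text by also rejecting a captured cryptogram that is presented a second time.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Toy token service: maps each token to a card number and a device key."""
    def __init__(self):
        self._vault = {}  # token -> {"pan", "device_key", "counter"}

    def provision(self, pan):
        """Issue a random token plus a secret key that stays on the device."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        device_key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "device_key": device_key, "counter": 0}
        return token, device_key

    def authorize(self, token, amount_cents, counter, cryptogram):
        """Approve only if the cryptogram proves possession of the device key."""
        entry = self._vault.get(token)
        if entry is None or counter <= entry["counter"]:
            return False  # unknown token, or an old/replayed counter value
        expected = make_cryptogram(entry["device_key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # token presented without the right device key
        entry["counter"] = counter
        return True


def make_cryptogram(device_key, token, amount_cents, counter):
    """Device side: bind token, amount and counter to the device key."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def demo():
    """Outcomes for a genuine payment, a stolen token, and a replay."""
    tsp = TokenService()
    pan = "4111111111111111"  # constructed test card number
    token, device_key = tsp.provision(pan)
    genuine = make_cryptogram(device_key, token, 2599, 1)
    ok = tsp.authorize(token, 2599, 1, genuine)
    # Someone holding only the token has no device key, so the check fails.
    forged = make_cryptogram(secrets.token_bytes(32), token, 2599, 2)
    stolen = tsp.authorize(token, 2599, 2, forged)
    replay = tsp.authorize(token, 2599, 1, genuine)  # same cryptogram again
    return {"genuine": ok, "stolen_token": stolen, "replay": replay,
            "token_is_pan": token == pan}
```

The merchant in this model only ever handles the token and a one-time cryptogram, so a copy of its transaction data contains neither the card number nor anything that authorizes a new payment.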
